Administrator Password - winik.sys

Discussion in 'malware problems & news' started by sirkob, May 10, 2005.

Thread Status:
Not open for further replies.
  1. sirkob

    sirkob Registered Member

    Joined:
    May 7, 2005
    Posts:
    3
    I found the winik.sys virus on my wife’s laptop. I tried both HiJackThis and KillBox to remove the winik.sys and the files in the ttqopttt directory it created. However, neither one removed the files.

    I was going to remove them from DOS by going to the XP recovery mode. However, it requesting the Administrators password and will not accept the one I use to log into XP as Administrator. Is there a default or another password it is looking for? Any help would be greatly appreciated.

    Any ideas on removing these files and get me back in good graces with the wife would be helpful.

    Thanks
    Brian
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi sirkob, I have moved your thread to here where it will receive better attention than in the TDS3 support forum.

    Whoever installed windows on your wife's laptop will have had to made an administrators Pass Word.
    I have known shop installed PC's set with a PW of anministrator or just admin. Might be worth a try :)

    Pilli
     
  3. sirkob

    sirkob Registered Member

    Joined:
    May 7, 2005
    Posts:
    3
    Pilli,

    I tried both an neither worked. What I do not understand is why it is not accepting the Administrator PW used to log into XP.

    Any utilities other then Killbox and HiJackThis I can try?

    Thanks for your time and efforts.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    When you install XP you have to have a main Admin PW before user accounts are set up. If there is only one user then no PW for that one user is require i.e you can switch on your machine and it will boot into windows without the need for a PW. However, if more than one user is set then a PW is required for each user by default.

    If you are a user with full Admin capabilities then you should be able to log in to safe mode using that account and run any cleanup programs needed to clean the malware as only basic system services are loaded in Safe mode. You may even be able to delete that winik.sys if you can locate it.

    HTH Pilli :)
     
  5. sirkob

    sirkob Registered Member

    Joined:
    May 7, 2005
    Posts:
    3
    Pilli,

    Thanks for the follow up. Unfortunately the winik.sys can not be deleted in safe mode. That’s with this site originally, recommended going to DOS, or using HiJackThis and KillBox. Since the two utilities did not work I need to be able to get to DOS. This is where it is not accepting passwords for the Administrator account.

    Any other ways to get to the DOS mode?
     
  6. midas

    midas Registered Member

    Joined:
    May 16, 2005
    Posts:
    1
    Brian-

    Don't worry...

    If you can still log into windows-
    Click [Start] --> Run --> Type "command" and click OK.

    Now type (# stands for the prompt, dont type it)

    # net user Administrator *

    This will prompt you for a password twice. This will become the new Administrator password. Careful! Only use normal letters and numbers.. sometimes Recovery console has problems recognizing passwords.


    Save a Backup Copy of Boot.ini
    1. Right-click My Computer, and then click Properties.
    -or-
    Click Start, click Run, type sysdm.cpl, and then click OK.
    2. On the Advanced tab, click Settings under Startup and Recovery.
    3. Under System Startup, click Edit. This opens the file in Notepad ready for editing.
    4. In Notepad, click File on the Menu bar, and then click Save As.
    5. Right click in an empty area of the Save As dialog box, point to New in the Context menu, and then click Folder.
    6. Type a name for the new folder, for example temp, and then press the ENTER key to create the folder named temp.
    7. Double-click the new folder named temp, and then click the Save button to save a backup copy of the Boot.ini file.



    Edit the Boot.ini File
    To view and edit the Boot.ini file: 1. Right-click My Computer, and then click Properties.
    -or-
    Click Start, click Run, type sysdm.cpl, and then click OK.
    2. On the Advanced tab, click Settings under Startup and Recovery.
    3. Under System Startup, click Edit.


    Edit your boot.ini so it has-

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Safe with Command Prompt" /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot

    From now on when you reboot, a screen will pop up giving you the choice to enter safe mode with command prompt. This comes in handy when scanning for virii.

    If you cant delete somthing..
    # attrib
    then
    # attrib /?
     
  7. I have the same problem The virus is Root.Win32.Agent
    i m using kaspersky anti virus personel 5
    i m quarantined the winik.sys file. but i m worry if these stages that you told works or not. i m not an advanced computer user. all helps would be appriciated.. thnx for your time..
     
  8. sorry virus name is Rootkit.Win32.Agent.q
     
  9. blah02

    blah02 Guest

    First do a regular virus scan in SafeMode. The only thing remaining would be
    1. C:\WINDOWS\system32\drivers\winik.sys
    2. C:\Program Files\<lowercasegibberish>

    You must have a Windows XP install disk (or any other existing method of accessing harddrive without booting winik.sys, which is why Safe Mode doesn't work) and have the appropriate drivers ready if you have a non-IDE harddrive so you can access C:\WINDOWS via DOS in (R)epair mode. Change directory to C:\WINDOWS\system32\drivers and "erase winik.sys". Reboot into regular Windows and manually trash C:\Program Files\<lowercasegibberish>.

    AND YOU ARE FREEEEEE!
     
Loading...
Thread Status:
Not open for further replies.